The websec digest #16
The headline of this edition is the account of Cody Brown, who had $ 8000 worth of bitcoins stolen from his online wallet at Coinbase. He was targeted after speaking out about Coinbase’s unsatisfactory response to hacking incidents. Why is this a story at all? Because the thieves bypassed the SMS-based two-factor authentication simply by convincing Verizon to transfer control of his phone number to one of the thieves.
Remember, 2FA is only as strong as its weakest link, and a mobile phone number is not a very strong protection mechanism.
While the news about data breaches has been toned down a bit, they still happen on a regular basis. One of the more noteworthy breaches of late is this breach at a cosmetic surgery clinic. The hackers are attempting to extort both the clinic and its clients using the stolen data, which includes sensitive pre-operation pictures.
The problem with these data breaches is that once the data is out, it’s virtually impossible to reclaim control over it.
Next up is an illustration that building secure software is far from trivial, even if you’re one of the top players on the Internet. A bug bounty hunter disclosed that Twitter was running vulnerable code that allowed an attacker to tweet as any user. The report of the vulnerability has been published, and a bounty of $ 7560 has been awarded.
And as always, we’ll end the digest on a positive note. During the annual WWDC conference, Apple announced a bunch of new features for its browser, Safari. Apart from support for technologies such as WebRTC and WebAssembly, the new Safari will also bring a technology named Intelligent Tracking Prevention, which aims to reduce cross-site tracking.
Upcoming Events
In the coming month, you can catch me speaking at the following events:
- imec-DistriNet is hosting an evening session on eliminating vulnerabilities in software, with speakers from academia and industry. More information and (free) registration.
- On June 22nd, I’ll be giving a similar talk at Voxxed Days Luxembourg.
As usual, you can find the full list of events on my speaking page.
Philippe De Ryck